Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Best way to NO SGX mode

X99
New Contributor I
‎02-03-2022 07:17 AM
1,109 Views
Solved Jump to solution

Hi.

Let's say that a program has a process that can be done within an enclave or not. Some encryption for example.

Is there a way to have a function and decide at runtime if it will execute in an enclave or not?

Thanks in advance.

0 Kudos
1 Solution
JesusG_Intel
Moderator
‎02-03-2022 08:40 AM
1,092 Views
Solved Jump to solution

Hello X99,


You can implement foo() in a static library and link it to both your enclave and your untrusted app. This way, both the untrusted app or your enclave can call the function and you write the code only once. You can link a static library with your enclave as long as it does not have any dependencies. You can read more about linking with libraries in the SGX Developer Reference for your OS.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

Copy link

Link Copied

5 Replies
JesusG_Intel
Moderator
‎02-03-2022 08:18 AM
1,098 Views
Solved Jump to solution

Hello X99,


The untrusted application must decide which code path to take based on the status of SGX on the platform. Fortunately, the SGX SDK provides several functions that help you detect the status of SGX.

 

Navigate to Section Intel® Software Guard Extensions SDK Feature-Detection Functions in Properly Detecting Intel® Software Guard Extensions (Intel® SGX) in Your Applications for a full explanation of these functions. Scroll down further for code samples.


The functions are:

  • sgx_is_capable()
  • sgx_cap_enable_device()
  • sgx_cap_get_status()
  • sgx_enable_device()


Sincerely,

Jesus G.

Intel Customer Support


Copy link
X99
New Contributor I
‎02-03-2022 08:23 AM
1,095 Views
Solved Jump to solution

Off to a great start, thanks!

To be more precise, let's say that I have a function "foo" that does the sensitive processing.

At runtime, let's say that the untrusted app uses one of the functions you mentioned to decide whether it will use an enclave or not.

How can I build my app so that foo can be called either as being part of an enclave or not? Should I duplicate the function to have a copy in an enclave and a copy in a standard, untrusted executable? Or is there a way to avoid such code duplication?

0 Kudos
Copy link
JesusG_Intel
Moderator
‎02-03-2022 08:40 AM
1,093 Views
Solved Jump to solution

Hello X99,


You can implement foo() in a static library and link it to both your enclave and your untrusted app. This way, both the untrusted app or your enclave can call the function and you write the code only once. You can link a static library with your enclave as long as it does not have any dependencies. You can read more about linking with libraries in the SGX Developer Reference for your OS.


Sincerely,

Jesus G.

Intel Customer Support


Copy link
X99
New Contributor I
‎02-03-2022 08:42 AM
1,089 Views
Solved Jump to solution

That's all the info I was searching for, thanks!

0 Kudos
Copy link
JesusG_Intel
Moderator
‎02-03-2022 02:10 PM
1,076 Views
Solved Jump to solution

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.